Package: clamav-freshclam
Version: 0.103.2+dfsg-2
Severity: normal
File: /etc/apparmor.d/usr.bin.freshclam
Usertags: apparmor
Whenever freshclam gets restarted, either manually or automatically during package upgrades, I get an apparmor denial in the logs. I haven't seen any adverse effects from this denial. Reading the capabilities(7) manual page where CAP_DAC_READ_SEARCH is mentioned, there doesn't seem to be any reason for freshclam to need this capability, so I don't think the freshclam binary should be using this capability. I note that the clamav codebase doesn't mention this capability at all. I note that the apparmor profile mentions dac_override and a comment next to that mentions a Launchpad bug that explains this is for the AllowSupplementaryGroups option, which is disabled by default. I wonder if whatever allows that to work has switched from dac_override to dac_read_search, but I'm still not sure why freshclam should also be using that capability.

https://manpages.debian.org/capabilities
https://launchpad.net/bugs/433764

May 23 08:16:39 sudo[95446]: pabs : TTY=pts/7 ; PWD=/home/pabs ; USER=root ; COMMAND=/usr/sbin/service clamav-freshclam restart
May 23 08:16:39 sudo[95446]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
May 23 08:16:39 kernel: audit: type=1400 audit(1621728999.029:77): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=95452 comm="freshclam" capability=2 capname="dac_read_search"
May 23 08:16:39 audit[95452]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=95452 comm="freshclam" capability=2 capname="dac_read_search"
May 23 08:16:39 freshclam[95358]: Update process terminated
May 23 08:16:39 sudo[95446]: pam_unix(sudo:session): session closed for user root
May 23 08:16:39 systemd[1]: Stopping ClamAV virus database updater...
May 23 08:16:39 systemd[1]: clamav-freshclam.service: Succeeded.
May 23 08:16:39 freshclam[95452]: ClamAV update process started at Sun May 23 08:16:39 2021
May 23 08:16:39 freshclam[95452]: daily.cld database is up-to-date (version: 26178, sigs: 3982081, f-level: 63, builder: raynman)
May 23 08:16:39 freshclam[95452]: main.cld database is up-to-date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
May 23 08:16:39 freshclam[95452]: bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
May 23 08:16:39 systemd[1]: Stopped ClamAV virus database updater.
May 23 08:16:39 systemd[1]: Started ClamAV virus database updater.

-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
AlertExceedsMax disabled
PreludeEnable disabled
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile disabled
TemporaryDirectory = "/tmp"
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "10485760"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "3600"
ConcurrentDatabaseReload = "yes"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "60000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
ScanPE = "yes"
ScanELF = "yes"
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
HeuristicAlerts = "yes"
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
AlertBrokenExecutables disabled
AlertBrokenMedia disabled
AlertEncrypted disabled
StructuredCCOnly disabled
AlertEncryptedArchive disabled
AlertEncryptedDoc disabled
AlertOLE2Macros disabled
AlertPhishingSSLMismatch disabled
AlertPhishingCloak disabled
AlertPartitionIntersection disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ForceToDisk disabled
MaxScanTime = "120000"
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "10000"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeRootUID disabled
OnAccessExcludeUID disabled
OnAccessExcludeUname disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
OnAccessCurlTimeout = "5000"
OnAccessMaxThreads = "5"
OnAccessRetryAttempts disabled
OnAccessDenyOnError disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled
AlgorithmicDetection = "yes"
BlockMax disabled
PhishingAlwaysBlockSSLMismatch disabled
PhishingAlwaysBlockCloak disabled
PartitionIntersection disabled
OLE2BlockMacros disabled
ArchiveBlockEncrypted disabled

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "4294967295"
LogTime disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
PidFile disabled
DatabaseDirectory = "/var/lib/clamav/"
Foreground disabled
Debug disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
ExcludeDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
Bytecode = "yes"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.2
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav/
WARNING: freshclam.conf and clamd.conf point to different database directories
bytecode.cld: version 333, sigs: 92, built on Mon Mar  8 23:21:51 2021
main.cld: version 59, sigs: 4564902, built on Mon Nov 25 21:56:15 2019
daily.cld: version 26178, sigs: 3982081, built on Sat May 22 19:06:55 2021
Total number of signatures: 8688222

Platform information
--------------------
uname: Linux 5.10.0-7-amd64 #1 SMP Debian 5.10.38-1 (2021-05-20) x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
Full OS version: Debian GNU/Linux 11 (bullseye)
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a217b7b08000000000a0201

Build information
-----------------
GNU C: 10.2.1 20210110 (10.2.1)
CPPFLAGS: -Wdate-time -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64
LDFLAGS: -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-system-libmspack' '--with-libcurl=/usr' '--with-gnu-ld' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu' 'OBJCFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security'
sizeof(void*) = 8
Engine flevel: 123, dconf: 123

--- data dir ---
total 635564
-rw-r--r-- 1 clamav clamav   1438720 Mar  8 23:55 bytecode.cld
drwxr-xr-x 2 clamav clamav      4096 Sep  4  2017 clamav-b20b7008eebb4b9e94a5ddaf4a41c8e7.tmp
-rw-r--r-- 1 clamav clamav 324139520 May 22 19:45 daily.cld
-rw-r--r-- 1 clamav clamav 307403264 Nov 26  2019 main.cld
-rw------- 1 clamav clamav        69 Apr 13 12:24 mirrors.dat
drwxr-xr-x 2 clamav clamav      4096 Sep 24  2020 tmp.a8a4c

-- System Information:
Debian Release: 11.0
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental'), (500, 'testing-security')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages clamav-freshclam depends on:
ii  clamav-base            0.103.2+dfsg-2
ii  debconf [debconf-2.0]  1.5.75
ii  dpkg                   1.20.9
ii  libc6                  2.31-12
ii  libclamav9             0.103.2+dfsg-2
ii  logrotate              3.18.0-2
ii  lsb-base               11.1.0
ii  procps                 2:3.3.17-5
ii  ucf                    3.0043

Versions of packages clamav-freshclam recommends:
ii  ca-certificates  20210119

Versions of packages clamav-freshclam suggests:
ii  apparmor     2.13.6-10
pn  clamav-docs  <none>

-- debconf information:
* clamav-freshclam/LogRotate: true
* clamav-freshclam/autoupdate_freshclam: daemon
* clamav-freshclam/local_mirror: db.local.clamav.net
* clamav-freshclam/update_interval: 24
* clamav-freshclam/NotifyClamd: true
* clamav-freshclam/PrivateMirror:
  clamav-freshclam/internet_interface:
* clamav-freshclam/http_proxy:
* clamav-freshclam/Bytecode: true
* clamav-freshclam/SafeBrowsing: false
  clamav-freshclam/proxy_user:

--
bye,
pabs

https://wiki.debian.org/PaulWise
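The report above turns on reading `apparmor="DENIED"` audit lines and deciding whether the denied capability is one the profile should grant. The following is an added example, not code from the bug report or from the clamav/apparmor packages: it parses kernel/auditd AppArmor events into key/value fields, keeps only DENIED events, collapses the duplicate kernel and audit copies of the same event, and turns each denial into the candidate profile rule that would silence it (`capability <name>,` for `operation="capable"`, `<path> <mask>,` for file operations), roughly what `aa-logprof` proposes interactively. The two `dac_read_search` lines are the ones from the report; the `/etc/ssl/private/example.pem` denial and the ALLOWED line are constructed to show the file-rule path and the filtering, and the uid 108 in them is an assumption.

```python
import re
from collections import defaultdict

# Sample input: the two AVC lines quoted in the bug report, plus one constructed
# file denial and one constructed ALLOWED (complain-mode) event. The path,
# fsuid and ouid values in the constructed lines are assumptions.
SAMPLE_LOG = """\
May 23 08:16:39 kernel: audit: type=1400 audit(1621728999.029:77): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=95452 comm="freshclam" capability=2 capname="dac_read_search"
May 23 08:16:39 audit[95452]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=95452 comm="freshclam" capability=2 capname="dac_read_search"
May 23 08:16:40 audit[95452]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/private/example.pem" pid=95452 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
May 23 08:16:40 audit[95452]: AVC apparmor="ALLOWED" operation="open" profile="/usr/bin/freshclam" name="/var/lib/clamav/daily.cld" pid=95452 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=108 ouid=108
"""

# key="quoted value" or key=bareword, as written by the kernel audit code.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key/value fields of one AppArmor audit line, or None if the
    line carries no apparmor= field (i.e. it is some other log line)."""
    if "apparmor=" not in line:
        return None
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in FIELD_RE.finditer(line)
    }


def denials(log_text):
    """Yield only DENIED events; ALLOWED/AUDIT events are complain-mode noise."""
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if ev and ev.get("apparmor") == "DENIED":
            yield ev


def suggested_rules(log_text):
    """Map profile name -> sorted list of AppArmor rules that would permit each
    denied operation. Using a set collapses the duplicate kernel/audit copies
    of the same event, so one denial yields one rule."""
    rules = defaultdict(set)
    for ev in denials(log_text):
        profile = ev["profile"]
        if ev.get("operation") == "capable":
            rules[profile].add(f"capability {ev['capname']},")
        elif "name" in ev and "denied_mask" in ev:
            rules[profile].add(f"{ev['name']} {ev['denied_mask']},")
        else:
            rules[profile].add(f"# unhandled operation {ev.get('operation')}: review manually")
    return {profile: sorted(r) for profile, r in rules.items()}


def denial_counts(log_text):
    """Map (profile, comm, what-was-denied) -> number of DENIED events, to see
    whether a denial is a one-off at restart or a steady stream."""
    counts = defaultdict(int)
    for ev in denials(log_text):
        what = ev.get("capname") or ev.get("name") or ev.get("operation")
        counts[(ev["profile"], ev.get("comm"), what)] += 1
    return dict(counts)


if __name__ == "__main__":
    for profile, lines in suggested_rules(SAMPLE_LOG).items():
        print(f"# candidate rules for {profile}")
        for rule in lines:
            print(f"  {rule}")
    for key, n in denial_counts(SAMPLE_LOG).items():
        print(f"{n}x {key}")
```

Feed it `journalctl -k` or `/var/log/audit/audit.log` output. The generated rules are candidates, not fixes: the point of the report is precisely that `capability dac_read_search,` should not be added to `usr.bin.freshclam` until someone can explain why a process running as the `clamav` user needs to bypass read/search permission checks, so a rule proposed by this script (or by `aa-logprof`) belongs in a review against the program's source, and the more likely outcome for a capability the program does not use is to leave it denied.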